Hotmail Gets Full Session Encryption

Microsoft's wildly popular webmail service received an important security update this week, with the software giant adding full session encryption capabilities. Prior to the update, Hotmail users could optionally log on to the service using an encrypted HTTPS-style connection, but subsequent activity on the site was unencrypted.

"Hotmail offers advanced security safeguards to help protect your email account from hijackers and fraud," Microsoft Group Program Manager Dick Craddock wrote in the company's Inside Windows Live blog. "You \\[now have\\] the option to enhance the security of your entire Hotmail session with HTTPS data encryption (via secure socket layers, or SSL) ... Once you enable this feature, all of your future connections to Hotmail will be delivered over SSL."

Hotmail infamously was awarded poor marks in a recent Digital Society security exam, in part because of its lack of full session encryption. Google's rival Gmail service has offered this capability for years and made it automatic in January; users who don't want to be protected can opt out.

Microsoft provides instructions for enabling full session encryption for Hotmail on its Connect with HTTPS page. Note, however, that if you do enable this functionality, you can no longer access Hotmail-based email via Windows desktop solutions such as the Outlook Hotmail Connector and Windows Live Mail, or via the Windows Live applications for Windows Mobile and Nokia phones. Alternatively, you can enable SSL encryption on the fly by using "https" in front of the Hotmail web address in your browser, instead of "http."

In addition to the Hotmail change, Microsoft added automatic SSL usage to its Windows Live SkyDrive, Photos, Docs, and Devices services.